The index-time props.conf attributes that impact indexing performance are LINE_BREAKER and SHOULD_LINEMERGE. These attributes determine how Splunk breaks the incoming data into events and whether it merges multiple events into one. These operations can affect the indexing speed and the disk space consumption. The REPORT attribute does not impact indexing performance, as it is used to apply transforms at search time. The ANNOTATE_PUNCT attribute does not impact indexing performance, as it is used to add punctuation metadata to events at search time. For more information, see [About props.conf and transforms.conf] in the Splunk documentation.

Per the Search Head Clustering (SHC) Deployer Administration Guide, the deployer is responsible for distributing configuration bundles, apps, and baseline settings to all members of a Search Head Cluster (SHC). However, the replication of knowledge objects (Option A) is not handled by the deployer.

Knowledge object replication—covering items such as saved searches, dashboards, lookups, and alerts—is managed internally within the Search Head Cluster using the captain node. The captain coordinates replication among all SHC members using a mechanism called Knowledge Object Replication Framework, which ensures that user-created or runtime configuration changes (e.g., dashboards saved in Splunk Web) are automatically shared across members.

In contrast, the deployer’s primary responsibilities include:

Deploying and updating baseline app configurations (Option B).

Distributing non-replicated, non-runtime configuration updates like props, transforms, and inputs (Option C).

Assisting in the initial migration of apps and configurations into a cluster during setup (Option D).

Therefore, while the deployer handles static configuration management, knowledge object replication is performed dynamically by the SHC itself under captain control, making Option A the correct answer.

References (Splunk Enterprise Documentation):

• Search Head Clustering: How the Deployer Works

• Managing Knowledge Object Replication in Search Head Clusters

• Splunk Enterprise Admin Manual – Deployer vs. Captain Responsibilities

• Distributing Apps and Configurations with the Deployer

According to the Splunk Search Head Clustering Troubleshooting Guide, when a Search Head Cluster (SHC) member is reverted from a backup or experiences configuration drift (e.g., an outdated Raft state), it can fail to rejoin the cluster due to inconsistent Raft metadata. The Raft database stores the SHC’s internal consensus and replication state, including knowledge object synchronization, captain election history, and peer membership information.

If this Raft metadata becomes corrupted or outdated (as in the scenario where a node is restored from backup), the recommended and Splunk-supported remediation is to clean the Raft metadata using:

splunk clean raft

This command resets the node’s local Raft state so it can re-synchronize with the current SHC captain and rejoin the cluster cleanly.

The steps generally are:

Stop the affected SHC member.

Run splunk clean raft on that node.

Restart Splunk.

Verify that it successfully rejoins the SHC.

Deleting configuration stanzas or forcing re-addition (Options B and C) can lead to further inconsistency or data loss. Reviewing logs (Option A) helps diagnose issues but does not resolve Raft corruption.

References (Splunk Enterprise Documentation):

• Troubleshooting Raft Metadata Corruption in Search Head Clusters

• splunk clean raft Command Reference

• Search Head Clustering: Recovering from Backup and Membership Failures

• Splunk Enterprise Admin Manual – Raft Consensus and SHC Maintenance

According to the Indexer Clustering Administration Guide, configuration bundles pushed from the Cluster Manager (Master Node) overwrite the contents of the $SPLUNK_HOME/etc/slave-apps/ directory on each search peer (indexer). However, Splunk provides a special persistent location — the _cluster app’s local directory — for files that must survive bundle redeployments.

Specifically, any configuration files placed in:

$SPLUNK_HOME/etc/slave-apps/_cluster/local/

will persist after future bundle pushes because this directory is excluded from the automatic overwrite process.

This is particularly useful for maintaining local overrides or custom configurations that should not be replaced by the Cluster Manager, such as environment-specific inputs, temporary test settings, or monitoring configurations unique to that peer.

Other directories under slave-apps are overwritten each time a configuration bundle is pushed, ensuring consistency across the cluster. Likewise, master-apps exists only on the Cluster Manager and is used for deployment, not persistence.

Thus, the _cluster/local folder is the only safe, Splunk-documented location for configurations that need to survive bundle redeployment.

References (Splunk Enterprise Documentation):

• Indexer Clustering: How Configuration Bundles Work

• Maintaining Local Configurations on Clustered Indexers

• slave-apps and _cluster App Structure and Behavior

• Splunk Enterprise Admin Manual – Cluster Configuration Management Best Practices

The deployer distributes apps and non-search related and manual configuration file changes to the search head cluster members. The deployer does not bootstrap a clean Splunk install for a search head cluster, as this is done by the captain. The deployer also does not distribute runtime knowledge object changes made by users across the search head cluster, as this is done by the replication factor. For more information, see Use the deployer to distribute apps and configuration updates in the Splunk documentation.

A multisite indexer cluster is a type of indexer cluster that spans multiple geographic locations or sites. A multisite indexer cluster requires only one cluster manager, also known as the master node, for the entire cluster. The cluster manager is responsible for coordinating the replication and search activities among the peer nodes across all sites. The cluster manager can reside in any site, but it must be accessible by all peer nodes and search heads in the cluster. Option C is the correct answer. Option A is incorrect because having two cluster managers for the entire cluster would introduce redundancy and complexity. Option B is incorrect because having one cluster manager for each site would create separate clusters, not a multisite cluster. Option D is incorrect because having two cluster managers for each site would be unnecessary and inefficient12

1: https://docs.splunk.com/Documentation/Splunk/9.1.2/Indexer/Multisiteoverview 2: https://docs.splunk.com/Documentation/Splunk/9.1.2/Indexer/Clustermanageroverview

Splunk Enterprise licensing is based on the amount of data that is ingested and indexed by the Splunk platform per day1. The data that counts against the license is the data that is stored in the indexes that are visible to the users and searchable by the Splunk software2. The indexes that are visible and searchable by default are the main index and any custom indexes that are created by the users or the apps3. The main index is the default index where Splunk Enterprise stores all data, unless otherwise specified4.

Option B is the correct answer because the data for the main index will count against the ingest-based license, as it is a visible and searchable index by default. Option A is incorrect because the summary index is a special type of index that stores the results of scheduled reports or accelerated data models, which do not count against the license. Option C is incorrect because the _metrics index is an internal index that stores metrics data about the Splunk platform performance, which does not count against the license. Option D is incorrect because the _introspection index is another internal index that stores data about the impact of the Splunk software on the host system, such as CPU, memory, disk, and network usage, which does not count against the license.